[nginx] SSL: added support for TLSv1.3 in ssl_protocols directive.

Sergey Kandaurov pluknet at nginx.com
Tue Apr 18 13:50:20 UTC 2017


details:   http://hg.nginx.org/nginx/rev/08dc60979133
branches:  
changeset: 6981:08dc60979133
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue Apr 18 15:12:38 2017 +0300
description:
SSL: added support for TLSv1.3 in ssl_protocols directive.

Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.

diffstat:

 src/event/ngx_event_openssl.c            |  6 ++++++
 src/event/ngx_event_openssl.h            |  1 +
 src/http/modules/ngx_http_proxy_module.c |  1 +
 src/http/modules/ngx_http_ssl_module.c   |  1 +
 src/http/modules/ngx_http_uwsgi_module.c |  1 +
 src/mail/ngx_mail_ssl_module.c           |  1 +
 src/stream/ngx_stream_proxy_module.c     |  1 +
 src/stream/ngx_stream_ssl_module.c       |  1 +
 8 files changed, 13 insertions(+), 0 deletions(-)

diffs (93 lines):

diff -r dbb0c854e308 -r 08dc60979133 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/event/ngx_event_openssl.c	Tue Apr 18 15:12:38 2017 +0300
@@ -323,6 +323,12 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
         SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
     }
 #endif
+#ifdef SSL_OP_NO_TLSv1_3
+    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+    if (!(protocols & NGX_SSL_TLSv1_3)) {
+        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+    }
+#endif
 
 #ifdef SSL_OP_NO_COMPRESSION
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
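Review bot: The `#ifdef SSL_OP_NO_TLSv1_3` block has no `#else`, so a build against an OpenSSL that lacks the macro accepts `TLSv1.3` in the configuration and then silently ignores it. The header and the bitmask tables in this changeset define the value unconditionally, so nothing rejects it earlier. An operator who lists only `TLSv1.3` would presumably end up with every older protocol disabled by the preceding blocks and no diagnostic naming the cause. A configuration-time warning in an `#else` branch would make the mismatch visible; the TLSv1.2 block above appears to follow the same silent pattern, so this may be a deliberate convention. ngx_ssl_create starts and ends outside the hunk.

```c
#ifdef SSL_OP_NO_TLSv1_3
    /* … unchanged: clear SSL_OP_NO_TLSv1_3, then set it when the bit is absent … */
#else
    if (protocols & NGX_SSL_TLSv1_3) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "TLSv1.3 is configured but not supported "
                      "by the OpenSSL library in use");
    }
#endif
```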
diff -r dbb0c854e308 -r 08dc60979133 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/event/ngx_event_openssl.h	Tue Apr 18 15:12:38 2017 +0300
@@ -131,6 +131,7 @@ typedef struct {
 #define NGX_SSL_TLSv1    0x0008
 #define NGX_SSL_TLSv1_1  0x0010
 #define NGX_SSL_TLSv1_2  0x0020
+#define NGX_SSL_TLSv1_3  0x0040
 
 
 #define NGX_SSL_BUFFER   1
diff -r dbb0c854e308 -r 08dc60979133 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c	Tue Apr 18 15:12:38 2017 +0300
@@ -235,6 +235,7 @@ static ngx_conf_bitmask_t  ngx_http_prox
     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
     { ngx_null_string, 0 }
 };
 
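Review bot: The new `TLSv1.3` entry makes the protocol selectable but not default, and nothing in the table says so. The diffstat shows one inserted line per module, so the default protocol mask (not visible here) is presumably unchanged, while ngx_ssl_create now sets SSL_OP_NO_TLSv1_3 whenever the bit is absent. Moving to an OpenSSL with TLSv1.3 therefore would not enable it unless the directive lists it explicitly. A short comment by the entry would record that, e.g. `/* TLSv1.3 is opt-in: not part of the default protocol mask */`. The same applies to the identical entries in the ngx_http_ssl, ngx_http_uwsgi, ngx_mail_ssl, ngx_stream_proxy and ngx_stream_ssl tables. The table itself starts outside the hunk.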
diff -r dbb0c854e308 -r 08dc60979133 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c	Tue Apr 18 15:12:38 2017 +0300
@@ -57,6 +57,7 @@ static ngx_conf_bitmask_t  ngx_http_ssl_
     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
     { ngx_null_string, 0 }
 };
 
diff -r dbb0c854e308 -r 08dc60979133 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c	Tue Apr 18 15:12:38 2017 +0300
@@ -129,6 +129,7 @@ static ngx_conf_bitmask_t  ngx_http_uwsg
     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
     { ngx_null_string, 0 }
 };
 
diff -r dbb0c854e308 -r 08dc60979133 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/mail/ngx_mail_ssl_module.c	Tue Apr 18 15:12:38 2017 +0300
@@ -42,6 +42,7 @@ static ngx_conf_bitmask_t  ngx_mail_ssl_
     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
     { ngx_null_string, 0 }
 };
 
diff -r dbb0c854e308 -r 08dc60979133 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/stream/ngx_stream_proxy_module.c	Tue Apr 18 15:12:38 2017 +0300
@@ -103,6 +103,7 @@ static ngx_conf_bitmask_t  ngx_stream_pr
     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
     { ngx_null_string, 0 }
 };
 
diff -r dbb0c854e308 -r 08dc60979133 src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c	Tue Apr 11 16:41:53 2017 +0300
+++ b/src/stream/ngx_stream_ssl_module.c	Tue Apr 18 15:12:38 2017 +0300
@@ -45,6 +45,7 @@ static ngx_conf_bitmask_t  ngx_stream_ss
     { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
     { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
     { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
     { ngx_null_string, 0 }
 };
 

